CVE-2026-34225: open-webui: blind SSRF via image-edit URL fetch

GHSA-jgx9-jr5x-mvpv MEDIUM
Published July 7, 2026
CISO Take

open-webui's image-edit endpoint blindly fetches any user-supplied URL server-side, with no restriction against private/internal address space (CWE-918), letting an authenticated user turn the server into a proxy for scanning the local network. This is a medium-severity, low-complexity flaw (CVSS 4.3, AC:L) that any low-privileged account can trigger, and while the SSRF is blind, response differentials reliably reveal which internal ports are open, and any of the 113 other CVEs on this package's history plus the fact that open-webui runs with broad network access make this a meaningful reconnaissance primitive rather than a curiosity. EPSS sits in the top 87th percentile for likelihood but there's no public exploit code, no Nuclei template, and it isn't in CISA KEV, so this is not an active-exploitation emergency — treat it as an infrastructure hardening gap. No patched version is listed yet (affects <= 0.7.2), so mitigate now by blocking outbound requests from the open-webui host to RFC1918/localhost/link-local ranges (including the cloud metadata IP 169.254.169.254) at the network layer, and watch GHSA-jgx9-jr5x-mvpv for an official fix.

Sources: NVD GitHub Advisory EPSS ATLAS

What is the risk?

Low-to-moderate risk in isolation: the flaw requires an authenticated (even low-privilege) account, has low attack complexity, and yields no direct data disclosure because the SSRF is blind — impact is limited to confirming open/closed state of internal ports. Risk rises sharply in environments where open-webui is deployed with unrestricted network reach to sensitive internal services (databases, internal APIs, cloud metadata endpoints, orchestration tooling), since the port-scan capability becomes a stepping stone for identifying secondary targets. The lack of a public exploit or KEV listing keeps urgency moderate, but the trivial exploitation mechanics (a single crafted POST) mean it will be easy to weaponize once attention increases.

How does the attack unfold?

Initial Access
Attacker with a valid (even low-privilege) open-webui account sends a crafted image-edit request with an internal URL as the image source.
AML.T0049
SSRF Trigger
The backend's load_url_image function blindly performs a server-side GET to the attacker-supplied URL with no restriction on private/internal address space.
Internal Reconnaissance
By iterating targets and observing success/failure differentials, the attacker builds a map of open ports and live services on the internal network reachable from the open-webui host.
AML.T0075
Potential Secondary Impact
If a discovered internal service exposes unauthenticated state-changing GET endpoints, the attacker can trigger limited unauthorized actions blindly through the SSRF channel.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Open WebUI pip <= 0.7.2 No patch
144.2K Pushed 5d ago 77% patched ~5d to patch Full package profile →

Do you use Open WebUI? You're affected.

How severe is it?

CVSS 3.1
4.3 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 13% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C Low
I None
A None

What should I do?

1 step
  1. There is no patched version currently listed, so mitigation is primarily network-level: enforce egress filtering/allowlisting on the host running open-webui so it cannot reach RFC1918 ranges, localhost, link-local addresses, or cloud metadata IPs (169.254.169.254); place the service behind an outbound proxy that denies internal destinations; and segment open-webui away from sensitive internal services regardless of application-layer fixes. Application-side, disable or restrict the image-edit-via-URL feature if it isn't business-critical, and monitor for a fix landing at GHSA-jgx9-jr5x-mvpv to upgrade once available. Detection-wise, alert on outbound HTTP requests from the open-webui process/container to internal IP ranges or on unusual bursts of failed/successful GETs consistent with port-scan patterns in application or network logs.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI system security controls
NIST AI RMF
MEASURE 2.7 - AI system security and resilience evaluation
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-34225?

open-webui's image-edit endpoint blindly fetches any user-supplied URL server-side, with no restriction against private/internal address space (CWE-918), letting an authenticated user turn the server into a proxy for scanning the local network. This is a medium-severity, low-complexity flaw (CVSS 4.3, AC:L) that any low-privileged account can trigger, and while the SSRF is blind, response differentials reliably reveal which internal ports are open, and any of the 113 other CVEs on this package's history plus the fact that open-webui runs with broad network access make this a meaningful reconnaissance primitive rather than a curiosity. EPSS sits in the top 87th percentile for likelihood but there's no public exploit code, no Nuclei template, and it isn't in CISA KEV, so this is not an active-exploitation emergency — treat it as an infrastructure hardening gap. No patched version is listed yet (affects <= 0.7.2), so mitigate now by blocking outbound requests from the open-webui host to RFC1918/localhost/link-local ranges (including the cloud metadata IP 169.254.169.254) at the network layer, and watch GHSA-jgx9-jr5x-mvpv for an official fix.

Is CVE-2026-34225 actively exploited?

No confirmed active exploitation of CVE-2026-34225 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-34225?

There is no patched version currently listed, so mitigation is primarily network-level: enforce egress filtering/allowlisting on the host running open-webui so it cannot reach RFC1918 ranges, localhost, link-local addresses, or cloud metadata IPs (169.254.169.254); place the service behind an outbound proxy that denies internal destinations; and segment open-webui away from sensitive internal services regardless of application-layer fixes. Application-side, disable or restrict the image-edit-via-URL feature if it isn't business-critical, and monitor for a fix landing at GHSA-jgx9-jr5x-mvpv to upgrade once available. Detection-wise, alert on outbound HTTP requests from the open-webui process/container to internal IP ranges or on unusual bursts of failed/successful GETs consistent with port-scan patterns in application or network logs.

What systems are affected by CVE-2026-34225?

This vulnerability affects the following AI/ML architecture patterns: model serving, LLM web UI / chat interfaces, internal AI infrastructure networks.

What is the CVSS score for CVE-2026-34225?

CVE-2026-34225 has a CVSS v3.1 base score of 4.3 (MEDIUM). The EPSS exploitation probability is 0.23%.

What is the AI security impact?

Affected AI Architectures

model servingLLM web UI / chat interfacesinternal AI infrastructure networks

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0075 Cloud Service Discovery

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: MEASURE 2.7
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

### Summary There is a blind server side request forgery in the functionality that allows editing an image via a prompt. The affected function will perform a GET request on the URL provided by the user. There is no restriction on the domain of the provided URL allowing the local address space to be interacted with. Since the SSRF is blind (the response cannot be read) impact is port scanning of the local network because it can be confirmed if the port is open based on if the GET request failed. ### Details The vulnerability occurs here: https://github.com/open-webui/open-webui/blob/2b26355002064228e9b671339f8f3fb9d1fafa73/backend/open_webui/routers/images.py#L850-L916 Line 911 shows the user provided URL passed to the function `load_url_image`. Within this function on line 883 HTTP/HTTPs URLs are trusted blindly and called asynchronously with `requests.get`. ### PoC The vulnerability can be reproduced with the following curl command: ``` curl -X POST http://localhost:3000/api/v1/images/edit \ -H "Authorization: Bearer <token>" \ -H "Content-Type: application/json" \ -d '{"form_data":{ "image": "<url>", "prompt": "poc"} }' ``` ### Impact Response differentials can be used to port scan the local network: <img width="3016" height="736" alt="image" src="https://github.com/user-attachments/assets/93b4df52-b23c-4ed7-a5fa-9cbedb30091c" /> This can be automated to iterate through the entire port range to determine open ports. If the service running on an open port can be inferred the user may be able to interact with it in a meaningful way if the service offers any state changing GET request endpoints. ### Remediation Restrict provided URLs from local address space.

Exploitation Scenario

An attacker who holds any valid, even low-privileged, open-webui account (obtained via credential stuffing, an open self-registration flow, or an intentionally provisioned test user) issues repeated POST requests to /api/v1/images/edit, substituting the image URL with internal targets such as http://10.0.0.5:6379, http://localhost:8500, or http://169.254.169.254/latest/meta-data/. By observing which requests succeed versus fail (or differ in timing), the attacker builds a map of live internal hosts and open ports — Redis, etcd, internal admin panels, cloud metadata — all without ever seeing response bodies. If any discovered service exposes an unauthenticated, state-changing GET endpoint (e.g., a cache-flush or admin-action URL), the attacker can trigger it blind, turning pure reconnaissance into limited unauthorized action against internal infrastructure.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Timeline

Published
July 7, 2026
Last Modified
July 7, 2026
First Seen
July 7, 2026

Related Vulnerabilities